diff --git a/Dockerfile b/Dockerfile index 9c8e06b7d7..cfdb332567 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,161 +1,27 @@ -FROM ubuntu:jammy-20240227 AS ubuntu -LABEL org.opencontainers.image.source=https://github.com/vexxhost/atmosphere - -FROM ubuntu AS helm -ARG TARGETOS -ARG TARGETARCH -ARG HELM_VERSION=3.14.0 -ADD https://get.helm.sh/helm-v${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz /helm.tar.gz -RUN tar -xzf /helm.tar.gz -RUN mv /${TARGETOS}-${TARGETARCH}/helm /usr/bin/helm - -FROM ubuntu AS ubuntu-cloud-archive -ADD --chmod=644 https://git.launchpad.net/ubuntu/+source/ubuntu-keyring/plain/keyrings/ubuntu-cloud-keyring.gpg /etc/apt/trusted.gpg.d/ubuntu-cloud-keyring.gpg -ARG RELEASE -RUN < /etc/apt/sources.list.d/cloudarchive.list; \ - elif [ "${RELEASE}" = "zed" ]; then \ - echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu \${VERSION_CODENAME}-updates/${RELEASE} main" > /etc/apt/sources.list.d/cloudarchive.list; \ - elif [ "${RELEASE}" = "2023.1" ]; then \ - echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu \${VERSION_CODENAME}-updates/antelope main" > /etc/apt/sources.list.d/cloudarchive.list; \ - elif [ "${RELEASE}" = "2023.2" ]; then \ - echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu \${VERSION_CODENAME}-updates/bobcat main" > /etc/apt/sources.list.d/cloudarchive.list; \ - elif [ "${RELEASE}" = "master" ]; then \ - echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu \${VERSION_CODENAME}-updates/caracal main" > /etc/apt/sources.list.d/cloudarchive.list; \ - else \ - echo "${RELEASE} is not supported on \${VERSION_CODENAME}"; \ - exit 1; \ - fi; \ -else - echo "Unsupported release"; \ - exit 1; \ -fi -EOF - -FROM alpine/git AS requirements -ARG BRANCH -ADD https://opendev.org/openstack/requirements.git#${BRANCH} /src -RUN < requirements.txt @@ -114,10 +93,15 @@ build.collections: SAVE IMAGE --cache-hint image: - ARG RELEASE=2023.1 - FROM ./images/cloud-archive-base+image --RELEASE ${RELEASE} + FROM ubuntu:jammy ENV ANSIBLE_PIPELINING=True - DO ./images+APT_INSTALL --PACKAGES "rsync openssh-client" + RUN <" - exit 1 -fi - -docker buildx create --name=atmosphere --driver=docker-container || true - -if [ "$PUSH" = true ]; then - docker buildx bake --builder=atmosphere --provenance --sbom=true --push $TARGET - - # Sign all images - export COSIGN_PASSWORD="" - for IMAGE in $(docker buildx bake --print ${TARGET} | jq -r '.target[].tags | select(. != null)[]'); do - cosign sign -y --recursive --key cosign.key ${IMAGE} - done -else - docker buildx bake --builder=atmosphere --provenance --sbom=true $TARGET -fi diff --git a/images/builder/Earthfile b/images/builder/Earthfile deleted file mode 100644 index f4e92d3fa4..0000000000 --- a/images/builder/Earthfile +++ /dev/null @@ -1,7 +0,0 @@ -VERSION 0.7 - -image: - FROM ../base+image - DO ../+APT_INSTALL --PACKAGES "build-essential git python3-dev python3-pip python3-venv" - ARG POETRY_VERSION=1.4.2 - RUN pip3 install --no-cache-dir poetry==${POETRY_VERSION} diff --git a/images/cinder/Dockerfile b/images/cinder/Dockerfile new file mode 100644 index 0000000000..ed59f46707 --- /dev/null +++ b/images/cinder/Dockerfile @@ -0,0 +1,37 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +FROM openstack-venv-builder AS build +ARG CINDER_GIT_REF +ADD --keep-git-dir=true https://opendev.org/openstack/cinder.git#${CINDER_GIT_REF} /src/cinder +RUN git -C /src/cinder fetch --unshallow +# COPY patches/cinder /patches/cinder +# RUN git -C /src/cinder apply --verbose /patches/cinder/* +RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private < +Date: Fri, 1 Mar 2024 13:50:13 +0800 +Subject: [PATCH 1/3] Create encrypted volumes directly to RBD + +This fix slow on create encrypted volumes with temp file import. +Encrypted volume create is now directly upload to RBD with qemu-img +command without temprory image file generated. + +Closes-Bug: #2055517 +Change-Id: If7a72a4acd5600de1350289a9d9c38017d42659e +--- + cinder/tests/unit/volume/drivers/test_rbd.py | 9 +-- + cinder/volume/drivers/rbd.py | 62 +++++++++---------- + ...ate-encrypted-volume-c1bb6b44b85c0242.yaml | 7 +++ + 3 files changed, 40 insertions(+), 38 deletions(-) + create mode 100644 releasenotes/notes/improve-create-encrypted-volume-c1bb6b44b85c0242.yaml + +diff --git a/cinder/tests/unit/volume/drivers/test_rbd.py b/cinder/tests/unit/volume/drivers/test_rbd.py +index f1ffeb89e..cf768df06 100644 +--- a/cinder/tests/unit/volume/drivers/test_rbd.py ++++ b/cinder/tests/unit/volume/drivers/test_rbd.py +@@ -3247,7 +3247,6 @@ class RBDTestCase(test.TestCase): + self.__dict__ = d + + mock_temp_file.return_value.__enter__.side_effect = [ +- DictObj({'name': '/imgfile'}), + DictObj({'name': '/passfile'})] + + key_mgr = fake_keymgr.fake_api() +@@ -3268,15 +3267,13 @@ class RBDTestCase(test.TestCase): + self.context) + mock_open.assert_called_with('/passfile', 'w') + +- mock_exec.assert_any_call( ++ mock_exec.assert_called_with( + 'qemu-img', 'create', '-f', 'luks', '-o', + 'cipher-alg=aes-256,cipher-mode=xts,ivgen-alg=essiv', + '--object', + 'secret,id=luks_sec,format=raw,file=/passfile', +- '-o', 'key-secret=luks_sec', '/imgfile', '12288M') +- mock_exec.assert_any_call( +- 'rbd', 'import', '--dest-pool', 'rbd', '--order', 22, +- '/imgfile', self.volume_c.name) ++ '-o', 'key-secret=luks_sec', 'rbd:rbd/%s' % self.volume_c.name, ++ '12288M') + + @mock.patch('cinder.objects.Volume.get_by_id') + @mock.patch('cinder.db.volume_glance_metadata_get', return_value={}) +diff --git a/cinder/volume/drivers/rbd.py b/cinder/volume/drivers/rbd.py +index 1f4dac8d9..aace801f3 100644 +--- a/cinder/volume/drivers/rbd.py ++++ b/cinder/volume/drivers/rbd.py +@@ -1089,8 +1089,8 @@ class RBDDriver(driver.CloneableImageVD, driver.MigrateVD, + context: context.RequestContext) -> None: + """Create an encrypted volume. + +- This works by creating an encrypted image locally, +- and then uploading it to the volume. ++ This works by creating an encrypted image and ++ then uploading it to the volume directly. + """ + encryption = volume_utils.check_encryption_provider(volume, context) + +@@ -1102,37 +1102,35 @@ class RBDDriver(driver.CloneableImageVD, driver.MigrateVD, + # create a file + tmp_dir = volume_utils.image_conversion_dir() + +- with tempfile.NamedTemporaryFile(dir=tmp_dir) as tmp_image: +- with tempfile.NamedTemporaryFile(dir=tmp_dir) as tmp_key: +- with open(tmp_key.name, 'w') as f: +- f.write(passphrase) +- +- cipher_spec = image_utils.decode_cipher(encryption['cipher'], +- encryption['key_size']) +- +- create_cmd = ( +- 'qemu-img', 'create', '-f', 'luks', +- '-o', 'cipher-alg=%(cipher_alg)s,' +- 'cipher-mode=%(cipher_mode)s,' +- 'ivgen-alg=%(ivgen_alg)s' % cipher_spec, +- '--object', 'secret,id=luks_sec,' +- 'format=raw,file=%(passfile)s' % {'passfile': +- tmp_key.name}, +- '-o', 'key-secret=luks_sec', +- tmp_image.name, +- '%sM' % (volume.size * 1024)) +- self._execute(*create_cmd) +- +- # Copy image into RBD +- chunk_size = self.configuration.rbd_store_chunk_size * units.Mi +- order = int(math.log(chunk_size, 2)) ++ with tempfile.NamedTemporaryFile(dir=tmp_dir) as tmp_key: ++ with open(tmp_key.name, 'w') as f: ++ f.write(passphrase) + +- cmd = ['rbd', 'import', +- '--dest-pool', self.configuration.rbd_pool, +- '--order', order, +- tmp_image.name, volume.name] +- cmd.extend(self._ceph_args()) +- self._execute(*cmd) ++ cipher_spec = image_utils.decode_cipher(encryption['cipher'], ++ encryption['key_size']) ++ ++ _, conf, user_id, _ = self._get_config_tuple() ++ rbd_options = '' ++ if user_id: ++ rbd_options += ':id=%(user_id)s' % {'user_id': user_id} ++ if conf: ++ rbd_options += ':conf=%(conf)s' % {'conf': conf} ++ create_cmd = ( ++ 'qemu-img', 'create', '-f', 'luks', ++ '-o', 'cipher-alg=%(cipher_alg)s,' ++ 'cipher-mode=%(cipher_mode)s,' ++ 'ivgen-alg=%(ivgen_alg)s' % cipher_spec, ++ '--object', 'secret,id=luks_sec,' ++ 'format=raw,file=%(passfile)s' % {'passfile': ++ tmp_key.name}, ++ '-o', 'key-secret=luks_sec', ++ 'rbd:%(pool_name)s/%(image_name)s%(rbd_options)s' % { ++ 'pool_name': self.configuration.rbd_pool, ++ 'image_name': volume.name, ++ 'rbd_options': rbd_options ++ }, ++ '%sM' % (volume.size * 1024)) ++ self._execute(*create_cmd) + + def create_volume(self, volume: Volume) -> dict[str, Any]: + """Creates a logical volume.""" +diff --git a/releasenotes/notes/improve-create-encrypted-volume-c1bb6b44b85c0242.yaml b/releasenotes/notes/improve-create-encrypted-volume-c1bb6b44b85c0242.yaml +new file mode 100644 +index 000000000..8bdff6746 +--- /dev/null ++++ b/releasenotes/notes/improve-create-encrypted-volume-c1bb6b44b85c0242.yaml +@@ -0,0 +1,7 @@ ++--- ++fixes: ++ - | ++ [Bug 255517](https://bugs.launchpad.net/cinder/+bug/2055517): Fix slow ++ on create encrypted volumes with temp file import. Encrypted volume create ++ is now directly upload to rbd with qemu-img command without temprory image ++ file generated. +-- +2.34.1 diff --git a/images/cinder/patches/cinder/0002-Allow-clone-encrypted-image-to-encrypted-volume.patch b/images/cinder/patches/cinder/0002-Allow-clone-encrypted-image-to-encrypted-volume.patch new file mode 100644 index 0000000000..db47071c3f --- /dev/null +++ b/images/cinder/patches/cinder/0002-Allow-clone-encrypted-image-to-encrypted-volume.patch @@ -0,0 +1,129 @@ +From c47fb9f0209076182787f06b306f30c3e1948592 Mon Sep 17 00:00:00 2001 +From: ricolin +Date: Sat, 16 Mar 2024 00:35:12 +0800 +Subject: [PATCH 2/3] Allow clone encrypted image to encrypted volume + +Exactly like what we did in copy-and-import image when create encrypted +volume from encrypted image. If the image is encrypted, we will copy +`cinder_encryption_key_id` from image metadata to volume. That means we +should be safe to try directly clone from encrypted image. + +Related-Bug: #2055517 +Change-Id: Id6a1452c2c197a58677bf181470f54565fbd263b +--- + .../volume/flows/test_create_volume_flow.py | 46 +++++++++++++++++++ + cinder/volume/flows/manager/create_volume.py | 9 +++- + ...clone-encryped-image-6961ca1439825dc4.yaml | 8 ++++ + 3 files changed, 61 insertions(+), 2 deletions(-) + create mode 100644 releasenotes/notes/allow-clone-encryped-image-6961ca1439825dc4.yaml + +diff --git a/cinder/tests/unit/volume/flows/test_create_volume_flow.py b/cinder/tests/unit/volume/flows/test_create_volume_flow.py +index ad5735596..6ff97aaa0 100644 +--- a/cinder/tests/unit/volume/flows/test_create_volume_flow.py ++++ b/cinder/tests/unit/volume/flows/test_create_volume_flow.py +@@ -1203,6 +1203,7 @@ class CreateVolumeFlowManagerTestCase(test.TestCase): + encryption_key_id=fakes.ENCRYPTION_KEY_ID, + host='host@backend#pool') + ++ fake_driver.clone_image.return_value = (None, False) + fake_image_service = fake_image.FakeImageService() + image_meta = {} + image_id = fakes.IMAGE_ID +@@ -1219,6 +1220,7 @@ class CreateVolumeFlowManagerTestCase(test.TestCase): + image_meta, fake_image_service) + + fake_driver.create_volume.assert_called_once_with(volume) ++ fake_driver.clone_image.assert_called_once() + fake_driver.copy_image_to_encrypted_volume.assert_not_called() + fake_driver.copy_image_to_volume.assert_called_once_with( + self.ctxt, volume, fake_image_service, image_id, +@@ -1228,6 +1230,50 @@ class CreateVolumeFlowManagerTestCase(test.TestCase): + image_meta=image_meta) + mock_cleanup_cg.assert_called_once_with(volume) + ++ @mock.patch('cinder.volume.flows.manager.create_volume.' ++ 'CreateVolumeFromSpecTask.' ++ '_handle_bootable_volume_glance_meta') ++ @mock.patch('cinder.image.image_utils.TemporaryImages.fetch') ++ @mock.patch('cinder.image.image_utils.qemu_img_info') ++ @mock.patch('cinder.image.image_utils.check_virtual_size') ++ def test_create_encrypted_volume_from_enc_image_clone( ++ self, mock_check_size, mock_qemu_img, ++ mock_fetch_img, mock_handle_bootable ++ ): ++ fake_db = mock.MagicMock() ++ fake_driver = mock.MagicMock() ++ fake_volume_manager = mock.MagicMock() ++ fake_manager = create_volume_manager.CreateVolumeFromSpecTask( ++ fake_volume_manager, fake_db, fake_driver) ++ volume = fake_volume.fake_volume_obj( ++ self.ctxt, ++ encryption_key_id=fakes.ENCRYPTION_KEY_ID, ++ host='host@backend#pool') ++ ++ fake_driver.clone_image.return_value = (None, True) ++ fake_image_service = fake_image.FakeImageService() ++ image_meta = {} ++ image_id = fakes.IMAGE_ID ++ image_meta['id'] = image_id ++ image_meta['status'] = 'active' ++ image_meta['size'] = 1 ++ image_meta['cinder_encryption_key_id'] = \ ++ '00000000-0000-0000-0000-000000000000' ++ image_location = 'abc' ++ ++ fake_db.volume_update.return_value = volume ++ fake_manager._create_from_image(self.ctxt, volume, ++ image_location, image_id, ++ image_meta, fake_image_service) ++ ++ fake_driver.create_volume.assert_not_called() ++ fake_driver.clone_image.assert_called_once() ++ fake_driver.copy_image_to_encrypted_volume.assert_not_called() ++ fake_driver.copy_image_to_volume.assert_not_called() ++ mock_handle_bootable.assert_called_once_with(self.ctxt, volume, ++ image_id=image_id, ++ image_meta=image_meta) ++ + @ddt.data({'driver_error': True}, + {'driver_error': False}) + @mock.patch('cinder.backup.api.API.get_available_backup_service_host') +diff --git a/cinder/volume/flows/manager/create_volume.py b/cinder/volume/flows/manager/create_volume.py +index ac09ed898..549a49b00 100644 +--- a/cinder/volume/flows/manager/create_volume.py ++++ b/cinder/volume/flows/manager/create_volume.py +@@ -1087,11 +1087,16 @@ class CreateVolumeFromSpecTask(flow_utils.CinderTask): + # dict containing provider_location for cloned volume + # and clone status. + # NOTE (lixiaoy1): Currently all images are raw data, we can't +- # use clone_image to copy data if new volume is encrypted. ++ # use clone_image to copy data if new volume is encrypted ++ # NOTE (ricolin): If the image provided an encryption key, we have ++ # already cloned it to the volume's key in ++ # _get_encryption_key_id, so we can do a direct clone. ++ image_encryption_key = image_meta.get('cinder_encryption_key_id') + volume_is_encrypted = volume.encryption_key_id is not None + cloned = False + model_update = None +- if not volume_is_encrypted: ++ if not volume_is_encrypted or ( ++ volume_is_encrypted and image_encryption_key): + model_update, cloned = self.driver.clone_image(context, + volume, + image_location, +diff --git a/releasenotes/notes/allow-clone-encryped-image-6961ca1439825dc4.yaml b/releasenotes/notes/allow-clone-encryped-image-6961ca1439825dc4.yaml +new file mode 100644 +index 000000000..d6c7e8eb8 +--- /dev/null ++++ b/releasenotes/notes/allow-clone-encryped-image-6961ca1439825dc4.yaml +@@ -0,0 +1,8 @@ ++--- ++features: ++ - | ++ Allow clone encrypted image when create encrypted volume from image. ++ Exactly like what we did in copy-and-import image when create encrypted ++ volume from encrypted image. If the image is encrypted, we will copy ++ `cinder_encryption_key_id` from image metadata to volume. That means we ++ should be safe to try directly clone from encrypted image. +-- +2.34.1 diff --git a/images/cinder/patches/cinder/0003-Allow-encrypted-volume-clone-from-Glance-image.patch b/images/cinder/patches/cinder/0003-Allow-encrypted-volume-clone-from-Glance-image.patch new file mode 100644 index 0000000000..f436449897 --- /dev/null +++ b/images/cinder/patches/cinder/0003-Allow-encrypted-volume-clone-from-Glance-image.patch @@ -0,0 +1,319 @@ +From 97953c8bd8c7d61a3f68c3e829ff79290315ec5b Mon Sep 17 00:00:00 2001 +From: ricolin +Date: Fri, 15 Mar 2024 23:26:14 +0800 +Subject: [PATCH 3/3] Allow encrypted volume clone from Glance image + +Allow clone image when creating encrypted volume from Glance image if both +stored in RBD. +Previously, Glance image clone is not supported for encrypted volume +creation. The old process is to download image to local disk, encrypt the +local file, and import it back to RBD. This not just slow, but also +protentially take large amount of local disk space from hosts that runs +Cinder volume service. +The new process is to try and clone from Glance image (if it's also stored +in RBD), flatten it, and encrypting new image in RBD for volume. And If +Glance image source is not clonable, will continue with copy-and-import +method as previous flow. +In above flow, If clone from Glance image is appliable. Even it still +requires to clone and flatten RBD image might took some time, but should +still be a lot faster than copy-and-import. And also no local disk will +be used to store raw image in this case. +This also introduced driver method `clone_image_and_encrypt` for drivers +that seperate the clone process from non-encrypted volume so the create +flow won't be affected. + +Related-Bug: #2055517 +Change-Id: Ia023646d8bc9468bf5cc8955f7013299b2a3a460 +--- + .../volume/flows/test_create_volume_flow.py | 49 ++++++++++ + cinder/volume/driver.py | 11 +++ + cinder/volume/drivers/rbd.py | 95 ++++++++++++++++--- + cinder/volume/flows/manager/create_volume.py | 8 +- + ...for-encrypted-volume-de477647e9016b8b.yaml | 21 ++++ + 5 files changed, 167 insertions(+), 17 deletions(-) + create mode 100644 releasenotes/notes/allow-clone-image-for-encrypted-volume-de477647e9016b8b.yaml + +diff --git a/cinder/tests/unit/volume/flows/test_create_volume_flow.py b/cinder/tests/unit/volume/flows/test_create_volume_flow.py +index 6ff97aaa0..a85bf7eec 100644 +--- a/cinder/tests/unit/volume/flows/test_create_volume_flow.py ++++ b/cinder/tests/unit/volume/flows/test_create_volume_flow.py +@@ -1164,6 +1164,7 @@ class CreateVolumeFlowManagerTestCase(test.TestCase): + image_location = 'abc' + + fake_db.volume_update.return_value = volume ++ fake_driver.clone_image_and_encrypt.return_value = (None, False) + fake_manager._create_from_image(self.ctxt, volume, + image_location, image_id, + image_meta, fake_image_service) +@@ -1178,6 +1179,54 @@ class CreateVolumeFlowManagerTestCase(test.TestCase): + image_meta=image_meta) + mock_cleanup_cg.assert_called_once_with(volume) + ++ @mock.patch('cinder.volume.flows.manager.create_volume.' ++ 'CreateVolumeFromSpecTask.' ++ '_prepare_image_cache_entry') ++ @mock.patch('cinder.volume.flows.manager.create_volume.' ++ 'CreateVolumeFromSpecTask.' ++ '_handle_bootable_volume_glance_meta') ++ @mock.patch('cinder.image.image_utils.TemporaryImages.fetch') ++ @mock.patch('cinder.image.image_utils.qemu_img_info') ++ @mock.patch('cinder.image.image_utils.check_virtual_size') ++ def test_create_encrypted_volume_from_image_clone( ++ self, mock_check_size, mock_qemu_img, mock_fetch_img, ++ mock_handle_bootable, mock_prepare_image_cache ++ ): ++ fake_db = mock.MagicMock() ++ fake_driver = mock.MagicMock() ++ fake_volume_manager = mock.MagicMock() ++ fake_cache = mock.MagicMock() ++ fake_manager = create_volume_manager.CreateVolumeFromSpecTask( ++ fake_volume_manager, fake_db, fake_driver, fake_cache) ++ volume = fake_volume.fake_volume_obj( ++ self.ctxt, ++ encryption_key_id=fakes.ENCRYPTION_KEY_ID, ++ host='host@backend#pool') ++ ++ fake_image_service = fake_image.FakeImageService() ++ image_meta = {} ++ image_id = fakes.IMAGE_ID ++ image_meta['id'] = image_id ++ image_meta['status'] = 'active' ++ image_meta['size'] = 1 ++ image_location = 'abc' ++ ++ fake_db.volume_update.return_value = volume ++ fake_driver.clone_image_and_encrypt.return_value = (None, True) ++ fake_manager._create_from_image(self.ctxt, volume, ++ image_location, image_id, ++ image_meta, fake_image_service) ++ ++ mock_prepare_image_cache.assert_not_called() ++ fake_driver.create_volume.assert_not_called() ++ fake_driver.clone_image.assert_not_called() ++ fake_driver.clone_image_and_encrypt.assert_called_once() ++ fake_driver.copy_image_to_encrypted_volume.assert_not_called() ++ fake_driver.copy_image_to_volume.assert_not_called() ++ mock_handle_bootable.assert_called_once_with(self.ctxt, volume, ++ image_id=image_id, ++ image_meta=image_meta) ++ + @mock.patch('cinder.volume.flows.manager.create_volume.' + 'CreateVolumeFromSpecTask.' + '_cleanup_cg_in_volume') +diff --git a/cinder/volume/driver.py b/cinder/volume/driver.py +index 2ff27564b..030b4a8dd 100644 +--- a/cinder/volume/driver.py ++++ b/cinder/volume/driver.py +@@ -1192,6 +1192,17 @@ class BaseVD(object, metaclass=abc.ABCMeta): + """ + return None, False + ++ def clone_image_and_encrypt( ++ self, context, volume, image_location, image_meta, image_service ++ ): ++ """Create and encrypt a volume efficiently from an existing image. ++ ++ Refer to ++ :obj:`cinder.interface.volume_driver.VolumeDriverCore.clone_image` ++ for additional information. ++ """ ++ return None, False ++ + def backup_use_temp_snapshot(self): + """Get the configured setting for backup from snapshot. + +diff --git a/cinder/volume/drivers/rbd.py b/cinder/volume/drivers/rbd.py +index aace801f3..ad0eea9d5 100644 +--- a/cinder/volume/drivers/rbd.py ++++ b/cinder/volume/drivers/rbd.py +@@ -141,6 +141,13 @@ CONF.register_opts(RBD_OPTS, group=configuration.SHARED_CONF_GROUP) + EXTRA_SPECS_REPL_ENABLED = "replication_enabled" + EXTRA_SPECS_MULTIATTACH = "multiattach" + ++# Note(ricolin): Reference ceph site for more information: ++# https://github.com/ceph/ceph/blob/main/src/include/rbd/librbd.h ++RBD_ENCRYPTION_ALG = { ++ 'aes-128': 0, ++ 'aes-256': 1 ++} ++ + QOS_KEY_MAP = { + 'total_iops_sec': { + 'ceph_key': 'rbd_qos_iops_limit', +@@ -1190,6 +1197,20 @@ class RBDDriver(driver.CloneableImageVD, driver.MigrateVD, + + return max(image_stripe_unit, default_stripe_unit) + ++ def _encrypt_volume(self, ++ context: context.RequestContext, ++ volume: Volume, ++ passphrase: str, ++ cipher_spec: dict ++ ) -> None: ++ LOG.debug("Encrypting volume $s", volume.name) ++ with RBDVolumeProxy(self, volume.name) as vol: ++ vol.encryption_format( ++ 0, ++ passphrase, ++ RBD_ENCRYPTION_ALG[cipher_spec['cipher_alg']] ++ ) ++ + def _clone(self, + volume: Volume, + src_pool: str, +@@ -1873,6 +1894,37 @@ class RBDDriver(driver.CloneableImageVD, driver.MigrateVD, + image_location: Optional[list], + image_meta: dict, + image_service) -> tuple[dict, bool]: ++ return self._clone_image(context, volume, image_location, ++ image_meta, image_service) ++ ++ def clone_image_and_encrypt( ++ self, ++ context: context.RequestContext, ++ volume: Volume, ++ image_location: Optional[list], ++ image_meta: dict, ++ image_service ++ ) -> tuple[dict, bool]: ++ ++ # Note(ricolin): method `encryption_format` added after Ceph Pacific ++ # release (>=16.1.0). ++ if self.rbd and hasattr( ++ self.rbd.Image, 'encryption_format') and callable( ++ self.rbd.Image.encryption_format): ++ return self._clone_image( ++ context, volume, image_location, ++ image_meta, image_service, is_encrypt=True) ++ else: ++ return {}, False ++ ++ def _clone_image(self, ++ context: context.RequestContext, ++ volume: Volume, ++ image_location: Optional[list], ++ image_meta: dict, ++ image_service, ++ is_encrypt: Optional[bool] = False ++ ) -> tuple[dict, bool]: + if image_location: + # Note: image_location[0] is glance image direct_url. + # image_location[1] contains the list of all locations (including +@@ -1890,12 +1942,41 @@ class RBDDriver(driver.CloneableImageVD, driver.MigrateVD, + url_location, image_meta): + _prefix, pool, image, snapshot = \ + self._parse_location(url_location) ++ if is_encrypt: ++ passphrase, cipher_spec = self._fetch_encryption_info( ++ context, volume) ++ if cipher_spec['cipher_alg'] not in RBD_ENCRYPTION_ALG: ++ LOG.debug( ++ "Skip clone. Cipher spec: %s not supported " ++ "for encrypt volume directly from RBD.", ++ cipher_spec) ++ return ({}, False) + volume_update = self._clone(volume, pool, image, snapshot) ++ if is_encrypt: ++ self._flatten(self.configuration.rbd_pool, volume.name) ++ self._encrypt_volume( ++ context, volume, passphrase, cipher_spec) + volume_update['provider_location'] = None + self._resize(volume) + return volume_update, True + return ({}, False) + ++ def _fetch_encryption_info(self, ++ context: context.RequestContext, ++ volume: Volume) -> tuple[str, dict]: ++ encryption = volume_utils.check_encryption_provider( ++ volume, ++ context) ++ # Fetch the key associated with the volume and decode the passphrase ++ keymgr = key_manager.API(CONF) ++ key = keymgr.get(context, encryption['encryption_key_id']) ++ passphrase = binascii.hexlify(key.get_encoded()).decode('utf-8') ++ ++ # Decode the dm-crypt style cipher spec into something qemu-img can use ++ cipher_spec = image_utils.decode_cipher(encryption['cipher'], ++ encryption['key_size']) ++ return passphrase, cipher_spec ++ + def copy_image_to_encrypted_volume(self, + context: context.RequestContext, + volume: Volume, +@@ -1920,18 +2001,8 @@ class RBDDriver(driver.CloneableImageVD, driver.MigrateVD, + volume: Volume, + tmp_dir: str, + src_image_path: Any) -> None: +- encryption = volume_utils.check_encryption_provider( +- volume, +- context) +- +- # Fetch the key associated with the volume and decode the passphrase +- keymgr = key_manager.API(CONF) +- key = keymgr.get(context, encryption['encryption_key_id']) +- passphrase = binascii.hexlify(key.get_encoded()).decode('utf-8') +- +- # Decode the dm-crypt style cipher spec into something qemu-img can use +- cipher_spec = image_utils.decode_cipher(encryption['cipher'], +- encryption['key_size']) ++ passphrase, cipher_spec = self._fetch_encryption_info( ++ context, volume) + + tmp_dir = volume_utils.image_conversion_dir() + +diff --git a/cinder/volume/flows/manager/create_volume.py b/cinder/volume/flows/manager/create_volume.py +index 549a49b00..8ea4c0fe1 100644 +--- a/cinder/volume/flows/manager/create_volume.py ++++ b/cinder/volume/flows/manager/create_volume.py +@@ -1086,11 +1086,6 @@ class CreateVolumeFromSpecTask(flow_utils.CinderTask): + # NOTE (singn): two params need to be returned + # dict containing provider_location for cloned volume + # and clone status. +- # NOTE (lixiaoy1): Currently all images are raw data, we can't +- # use clone_image to copy data if new volume is encrypted +- # NOTE (ricolin): If the image provided an encryption key, we have +- # already cloned it to the volume's key in +- # _get_encryption_key_id, so we can do a direct clone. + image_encryption_key = image_meta.get('cinder_encryption_key_id') + volume_is_encrypted = volume.encryption_key_id is not None + cloned = False +@@ -1102,6 +1097,9 @@ class CreateVolumeFromSpecTask(flow_utils.CinderTask): + image_location, + image_meta, + image_service) ++ else: ++ model_update, cloned = self.driver.clone_image_and_encrypt( ++ context, volume, image_location, image_meta, image_service) + + # Try and clone the image if we have it set as a glance location. + if not cloned and 'cinder' in CONF.allowed_direct_url_schemes: +diff --git a/releasenotes/notes/allow-clone-image-for-encrypted-volume-de477647e9016b8b.yaml b/releasenotes/notes/allow-clone-image-for-encrypted-volume-de477647e9016b8b.yaml +new file mode 100644 +index 000000000..63d1f38cd +--- /dev/null ++++ b/releasenotes/notes/allow-clone-image-for-encrypted-volume-de477647e9016b8b.yaml +@@ -0,0 +1,21 @@ ++--- ++features: ++ - | ++ Allow clone image when creating encrypted volume from Glance image if both ++ stored in RBD. ++ Previously, Glance image clone is not supported for encrypted volume ++ creation. The old process is to download image to local disk, encrypt the ++ local file, and import it back to RBD. This not just slow, but also ++ protentially take large amount of local disk space from hosts that runs ++ Cinder volume service. ++ The new process is to try and clone from Glance image (if it's also stored ++ in RBD), flatten it, and encrypting new image in RBD for volume. And If ++ Glance image source is not clonable, will continue with copy-and-import ++ method as previous flow. ++ In above flow, If clone from Glance image is appliable. Even it still ++ requires to clone and flatten RBD image might took some time, but should ++ still be a lot faster than copy-and-import. And also no local disk will ++ be used to store raw image in this case. ++ This also introduced driver method `clone_image_and_encrypt` for drivers ++ that seperate the clone process from non-encrypted volume so the create ++ flow won't be affected. +-- +2.34.1 diff --git a/images/cloud-archive-base/Earthfile b/images/cloud-archive-base/Earthfile deleted file mode 100644 index 473d5d890b..0000000000 --- a/images/cloud-archive-base/Earthfile +++ /dev/null @@ -1,23 +0,0 @@ -VERSION 0.7 - -image: - FROM ../base+image - DO ../+APT_INSTALL --PACKAGES "ca-certificates libpython3.10 lsb-release python3-distutils sudo ubuntu-cloud-keyring" - ARG RELEASE - IF [ "$(lsb_release -sc)" = "jammy" ] - IF [ "${RELEASE}" = "yoga" ] - # NOTE: Yoga shipped with 22.04, so no need to add an extra repository. - RUN echo "" > /etc/apt/sources.list.d/cloudarchive.list - ELSE IF [ "${RELEASE}" = "zed" ] - RUN echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu $(lsb_release -sc)-updates/${RELEASE} main" > /etc/apt/sources.list.d/cloudarchive.list - ELSE IF [ "${RELEASE}" = "2023.1" ] - RUN echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu $(lsb_release -sc)-updates/antelope main" > /etc/apt/sources.list.d/cloudarchive.list - ELSE IF [ "${RELEASE}" = "2023.2" ] - RUN echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu $(lsb_release -sc)-updates/bobcat main" > /etc/apt/sources.list.d/cloudarchive.list - ELSE IF [ "${RELEASE}" = "master" ] - RUN echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu $(lsb_release -sc)-updates/caracal main" > /etc/apt/sources.list.d/cloudarchive.list - ELSE - RUN echo "${RELEASE} is not supported on $(lsb_release -sc)" - RUN exit 1 - END - END diff --git a/images/cluster-api-provider-openstack/Dockerfile b/images/cluster-api-provider-openstack/Dockerfile new file mode 100644 index 0000000000..83baff5696 --- /dev/null +++ b/images/cluster-api-provider-openstack/Dockerfile @@ -0,0 +1,32 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +FROM git AS src +ARG CAPO_VERSION +ADD https://github.com/kubernetes-sigs/cluster-api-provider-openstack.git#${CAPO_VERSION} /src +WORKDIR /src +COPY /patches /patches +RUN git apply /patches/*.patch + +FROM golang AS builder +COPY --from=src --link /src /src +WORKDIR /src +ARG ARCH +RUN CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} \ + go build -ldflags "-extldflags '-static'" -o manager ${package} + +FROM gcr.io/distroless/static:nonroot +COPY --from=builder /src/manager /manager +USER 65532 +ENTRYPOINT ["/manager"] diff --git a/images/cluster-api-provider-openstack/Earthfile b/images/cluster-api-provider-openstack/Earthfile deleted file mode 100644 index 111f465e08..0000000000 --- a/images/cluster-api-provider-openstack/Earthfile +++ /dev/null @@ -1,18 +0,0 @@ -VERSION 0.7 - -ARG --global CAPO_VERSION=v0.8.0 -ARG --global EPOCH=2 - -clone: - FROM ../builder+image - GIT CLONE --branch ${CAPO_VERSION} https://github.com/kubernetes-sigs/cluster-api-provider-openstack /workspace/src - WORKDIR /workspace/src - COPY patches /workspace/patches - RUN git apply --verbose /workspace/patches/*.patch - SAVE ARTIFACT /workspace/src - -image: - FROM DOCKERFILE -f +clone/src/Dockerfile +clone/src/* - LABEL org.opencontainers.image.source=https://github.com/vexxhost/atmosphere - ARG REGISTRY=ghcr.io/vexxhost/atmosphere - SAVE IMAGE --push ${REGISTRY}/capi-openstack-controller:${CAPO_VERSION}-${EPOCH} diff --git a/images/cluster-api-provider-openstack/patches/0001-chore-bump-k8s-api-for-cve.patch b/images/cluster-api-provider-openstack/patches/0001-chore-bump-k8s-api-for-cve.patch index 2812ac5027..cd99927fe1 100644 --- a/images/cluster-api-provider-openstack/patches/0001-chore-bump-k8s-api-for-cve.patch +++ b/images/cluster-api-provider-openstack/patches/0001-chore-bump-k8s-api-for-cve.patch @@ -1,158 +1,89 @@ -From 139a57e7b0d4c57033e281b061e459039a5e21d3 Mon Sep 17 00:00:00 2001 +From eed5b5cc2a6cf48c0c9e0245695d0ac143150186 Mon Sep 17 00:00:00 2001 From: Mohammed Naser -Date: Mon, 22 Jan 2024 16:22:52 -0500 -Subject: [PATCH 2/2] chore: bump k8s api for cve +Date: Tue, 12 Mar 2024 18:18:25 -0400 +Subject: [PATCH] chore: bump k8s api for cve --- - go.mod | 17 +++++++++-------- - go.sum | 36 +++++++++++++++++++----------------- - 2 files changed, 28 insertions(+), 25 deletions(-) + go.mod | 8 ++++---- + go.sum | 16 ++++++++-------- + 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/go.mod b/go.mod -index db4a954a..49d2f7cf 100644 +index 997f8354..d6c300cc 100644 --- a/go.mod +++ b/go.mod -@@ -15,8 +15,8 @@ require ( - github.com/onsi/gomega v1.27.8 - github.com/prometheus/client_golang v1.16.0 +@@ -15,7 +15,7 @@ require ( + github.com/onsi/gomega v1.30.0 + github.com/prometheus/client_golang v1.17.0 github.com/spf13/pflag v1.0.5 -- golang.org/x/crypto v0.11.0 -- golang.org/x/text v0.11.0 -+ golang.org/x/crypto v0.14.0 -+ golang.org/x/text v0.13.0 +- golang.org/x/crypto v0.15.0 ++ golang.org/x/crypto v0.17.0 + golang.org/x/text v0.14.0 gopkg.in/ini.v1 v1.67.0 - k8s.io/api v0.27.2 - k8s.io/apiextensions-apiserver v0.27.2 + k8s.io/api v0.28.4 @@ -24,7 +24,7 @@ require ( - k8s.io/client-go v0.27.2 - k8s.io/component-base v0.27.2 - k8s.io/klog/v2 v2.90.1 -- k8s.io/kubernetes v1.27.2 -+ k8s.io/kubernetes v1.27.8 - k8s.io/utils v0.0.0-20230313181309-38a27ef9d749 - sigs.k8s.io/cluster-api v1.5.1 - sigs.k8s.io/cluster-api/test v1.5.1 -@@ -113,15 +113,16 @@ require ( - go.uber.org/multierr v1.11.0 // indirect - go.uber.org/zap v1.24.0 // indirect - golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect -- golang.org/x/net v0.13.0 // indirect -+ golang.org/x/net v0.17.0 // indirect - golang.org/x/oauth2 v0.10.0 // indirect -- golang.org/x/sys v0.10.0 // indirect -- golang.org/x/term v0.10.0 // indirect -+ golang.org/x/sys v0.13.0 // indirect -+ golang.org/x/term v0.13.0 // indirect + k8s.io/client-go v0.28.4 + k8s.io/component-base v0.28.4 + k8s.io/klog/v2 v2.100.1 +- k8s.io/kubernetes v1.28.3 ++ k8s.io/kubernetes v1.28.4 + k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 + sigs.k8s.io/cluster-api v1.6.0 + sigs.k8s.io/cluster-api/test v1.6.0 +@@ -139,8 +139,8 @@ require ( + golang.org/x/net v0.18.0 // indirect + golang.org/x/oauth2 v0.14.0 // indirect + golang.org/x/sync v0.4.0 // indirect +- golang.org/x/sys v0.14.0 // indirect +- golang.org/x/term v0.14.0 // indirect ++ golang.org/x/sys v0.15.0 // indirect ++ golang.org/x/term v0.15.0 // indirect golang.org/x/time v0.3.0 // indirect -- golang.org/x/tools v0.9.3 // indirect -+ golang.org/x/tools v0.12.0 // indirect - gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect - google.golang.org/appengine v1.6.7 // indirect -- google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect -+ google.golang.org/genproto/googleapis/api v0.0.0-20230525234020-1aefcd67740a // indirect -+ google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 // indirect - google.golang.org/protobuf v1.31.0 // indirect - gopkg.in/inf.v0 v0.9.1 // indirect - gopkg.in/yaml.v2 v2.4.0 // indirect + golang.org/x/tools v0.14.0 // indirect + gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect diff --git a/go.sum b/go.sum -index 66bd8109..f18ece49 100644 +index e3d46fdc..f5767735 100644 --- a/go.sum +++ b/go.sum -@@ -516,8 +516,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y +@@ -460,8 +460,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= --golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA= --golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio= -+golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= -+golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= +-golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA= +-golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g= ++golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= ++golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= -@@ -555,7 +555,7 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= - golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= - golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= - golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= --golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= -+golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc= - golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= - golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= - golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -@@ -596,8 +596,8 @@ golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qx - golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= - golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= - golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= --golang.org/x/net v0.13.0 h1:Nvo8UFsZ8X3BhAC9699Z1j7XQ3rsZnUUm7jfBEk1ueY= --golang.org/x/net v0.13.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= -+golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= -+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= - golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= - golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= - golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -@@ -673,13 +673,13 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc - golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +@@ -609,13 +609,13 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= --golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= --golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -+golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= -+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= + golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +-golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q= +-golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= ++golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= ++golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= --golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c= --golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o= -+golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= -+golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= +-golang.org/x/term v0.14.0 h1:LGK9IlZ8T9jvdy6cTdfKUCltatMFOehAQo9SRC46UQ8= +-golang.org/x/term v0.14.0/go.mod h1:TySc+nGkYR6qt8km8wUhuFRTVSMIX3XPR58y2lC8vww= ++golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4= ++golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -@@ -690,8 +690,8 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= - golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= - golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= - golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= --golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4= --golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= -+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= -+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= - golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= - golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= - golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -@@ -752,8 +752,8 @@ golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= - golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= - golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= - golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= --golang.org/x/tools v0.9.3 h1:Gn1I8+64MsuTb/HpH+LmQtNas23LhUVr3rYZ0eKuaMM= --golang.org/x/tools v0.9.3/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= -+golang.org/x/tools v0.12.0 h1:YW6HUoUmYBpwSgyaGaZq1fHjrBjX1rlpZ54T6mu2kss= -+golang.org/x/tools v0.12.0/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM= - golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= - golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= - golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -@@ -825,8 +825,10 @@ google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6D - google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= - google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= - google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= --google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 h1:KpwkzHKEF7B9Zxg18WzOa7djJ+Ha5DzthMyZYQfEn2A= --google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU= -+google.golang.org/genproto/googleapis/api v0.0.0-20230525234020-1aefcd67740a h1:HiYVD+FGJkTo+9zj1gqz0anapsa1JxjiSrN+BJKyUmE= -+google.golang.org/genproto/googleapis/api v0.0.0-20230525234020-1aefcd67740a/go.mod h1:ts19tUU+Z0ZShN1y3aPyq2+O3d5FUNNgT6FtOzmrNn8= -+google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 h1:0nDDozoAU19Qb2HwhXadU8OcsiO/09cnTqhUtq2MEOM= -+google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA= - google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= - google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= - google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= -@@ -914,8 +916,8 @@ k8s.io/klog/v2 v2.90.1 h1:m4bYOKall2MmOiRaR1J+We67Do7vm9KiQVlT96lnHUw= - k8s.io/klog/v2 v2.90.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= - k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg= - k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg= --k8s.io/kubernetes v1.27.2 h1:g4v9oY6u7vBUDEuq4FvC50Bbw2K7GZuvM00IIESWVf4= --k8s.io/kubernetes v1.27.2/go.mod h1:U8ZXeKBAPxeb4J4/HOaxjw1A9K6WfSH+fY2SS7CR6IM= -+k8s.io/kubernetes v1.27.8 h1:K848lTo/D0jvrxUlTvw4nNADixbhXLHgKNDP/KlFGy8= -+k8s.io/kubernetes v1.27.8/go.mod h1:PUXXrx0IhAi+kI9BMDqNJHUnLndVv9W0DkriqyjuJOs= - k8s.io/utils v0.0.0-20230313181309-38a27ef9d749 h1:xMMXJlJbsU8w3V5N2FLDQ8YgU8s1EoULdbQBcAeNJkY= - k8s.io/utils v0.0.0-20230313181309-38a27ef9d749/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +@@ -841,8 +841,8 @@ k8s.io/kms v0.28.4 h1:PMgY/3CQTWP9eIKmNQiTgjLIZ0ns6O+voagzD2/4mSg= + k8s.io/kms v0.28.4/go.mod h1:HL4/lR/bhjAJPbqycKtfhWiKh1Sp21cpHOL8P4oo87w= + k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ= + k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM= +-k8s.io/kubernetes v1.28.3 h1:XTci6gzk+JR51UZuZQCFJ4CsyUkfivSjLI4O1P9z6LY= +-k8s.io/kubernetes v1.28.3/go.mod h1:NhAysZWvHtNcJFFHic87ofxQN7loylCQwg3ZvXVDbag= ++k8s.io/kubernetes v1.28.4 h1:aRNxs5jb8FVTtlnxeA4FSDBVKuFwA8Gw40/U2zReBYA= ++k8s.io/kubernetes v1.28.4/go.mod h1:BTzDCKYAlu6LL9ITbfjwgwIrJ30hlTgbv0eXDoA/WoA= + k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk= + k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= -- 2.43.0 - diff --git a/images/curl/Earthfile b/images/curl/Earthfile deleted file mode 100644 index 06d3d8e1a5..0000000000 --- a/images/curl/Earthfile +++ /dev/null @@ -1,5 +0,0 @@ -VERSION 0.7 - -image: - FROM curlimages/curl:7.78.0 - WORKDIR /tmp diff --git a/images/designate/Dockerfile b/images/designate/Dockerfile new file mode 100644 index 0000000000..677b5c9374 --- /dev/null +++ b/images/designate/Dockerfile @@ -0,0 +1,33 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +FROM openstack-venv-builder AS build +ARG DESIGNATE_GIT_REF +ADD --keep-git-dir=true https://opendev.org/openstack/designate.git#${DESIGNATE_GIT_REF} /src/designate +RUN git -C /src/designate fetch --unshallow +RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private < /etc/apt/sources.list.d/ceph.list - ELSE IF [ "$(lsb_release -sc)" = "jammy" ] - RUN echo "deb http://download.ceph.com/debian-reef/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/ceph.list - ELSE - RUN echo "${RELEASE} is not supported on $(lsb_release -sc)" - RUN exit 1 - END - DO ../+APT_INSTALL --PACKAGES="ceph-common cgroup-tools dmidecode ebtables iproute2 ipxe-qemu kmod libvirt-clients libvirt-daemon-system openssh-client openvswitch-switch ovmf pm-utils qemu-block-extra qemu-efi qemu-kvm seabios" - DO ../+CREATE_PROJECT_USER --PROJECT=nova - ARG REGISTRY=ghcr.io/vexxhost/atmosphere - SAVE IMAGE --push ${REGISTRY}/libvirtd:${RELEASE} - -image: - BUILD --platform linux/amd64 --platform linux/arm64 +platform-image diff --git a/images/libvirtd/keyrings/ceph.gpg b/images/libvirtd/keyrings/ceph.gpg deleted file mode 100644 index c5d8bd3994..0000000000 Binary files a/images/libvirtd/keyrings/ceph.gpg and /dev/null differ diff --git a/images/magnum/Dockerfile b/images/magnum/Dockerfile new file mode 100644 index 0000000000..06ebac1b2d --- /dev/null +++ b/images/magnum/Dockerfile @@ -0,0 +1,45 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +FROM ubuntu AS helm +ARG TARGETOS +ARG TARGETARCH +ARG HELM_VERSION=3.14.0 +ADD https://get.helm.sh/helm-v${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz /helm.tar.gz +RUN tar -xzf /helm.tar.gz +RUN mv /${TARGETOS}-${TARGETARCH}/helm /usr/bin/helm + +FROM openstack-venv-builder AS build +ARG MAGNUM_GIT_REF +ADD --keep-git-dir=true https://opendev.org/openstack/magnum.git#${MAGNUM_GIT_REF} /src/magnum +RUN git -C /src/magnum fetch --unshallow +# COPY patches/magnum /patches/magnum +# RUN git -C /src/magnum apply --verbose /patches/magnum/* +RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private < -Date: Fri, 22 Sep 2023 16:25:10 +0200 -Subject: [PATCH] fix netns deletion of broken namespaces - -normal network namespaces are bind-mounted to files under -/var/run/netns. If a process deleting a network namespace gets killed -during that operation there is the chance that the bind mount to the -netns has been removed, but the file under /var/run/netns still exists. - -When the neutron-ovn-metadata-agent tries to clean up such network -namespaces it first tires to validate that the network namespace is -empty. For the cases described above this fails, as this network -namespace no longer really exists, but is just a stray file laying -around. - -To fix this we treat network namespaces where we get an `OSError` with -errno 22 (Invalid Argument) as empty. The calls to pyroute2 to delete -the namespace will then clean up the file. - -Additionally we add a guard to teardown_datapath to continue even if -this fails. failing to remove a datapath is not critical and leaves in -the worst case a process and a network namespace running, however -previously it would have also prevented the creation of new datapaths -which is critical for VM startup. - -Closes-Bug: #2037102 -Change-Id: I7c43812fed5903f98a2e491076c24a8d926a59b4 -(cherry picked from commit 566fea3fed837b0130023303c770aade391d3d61) ---- - neutron/agent/linux/ip_lib.py | 17 ++++++++++++- - neutron/agent/ovn/metadata/agent.py | 5 +++- - neutron/tests/unit/agent/linux/test_ip_lib.py | 15 +++++++++++ - .../unit/agent/ovn/metadata/test_agent.py | 25 +++++++++++++++++++ - 4 files changed, 60 insertions(+), 2 deletions(-) - -diff --git a/neutron/agent/linux/ip_lib.py b/neutron/agent/linux/ip_lib.py -index 10bd33d9e1..5d2593da47 100644 ---- a/neutron/agent/linux/ip_lib.py -+++ b/neutron/agent/linux/ip_lib.py -@@ -259,7 +259,22 @@ class IPWrapper(SubProcessBase): - return ip - - def namespace_is_empty(self): -- return not self.get_devices() -+ try: -+ return not self.get_devices() -+ except OSError as e: -+ # This can happen if we previously got terminated in the middle of -+ # removing this namespace. In this case the bind mount of the -+ # namespace under /var/run/netns will be removed, but the namespace -+ # file is still there. As the bind mount is gone we can no longer -+ # access the namespace to validate that it is empty. But since it -+ # should have already been removed we are sure that the check has -+ # passed the last time and since the namespace is unuseable that -+ # can not have changed. -+ # Future calls to pyroute2 to remove that namespace will clean up -+ # the leftover file. -+ if e.errno == errno.EINVAL: -+ return True -+ raise e - - def garbage_collect_namespace(self): - """Conditionally destroy the namespace if it is empty.""" -diff --git a/neutron/agent/ovn/metadata/agent.py b/neutron/agent/ovn/metadata/agent.py -index 1745239701..861715d8e1 100644 ---- a/neutron/agent/ovn/metadata/agent.py -+++ b/neutron/agent/ovn/metadata/agent.py -@@ -430,7 +430,10 @@ class MetadataAgent(object): - ns.startswith(NS_PREFIX) and - ns not in metadata_namespaces] - for ns in unused_namespaces: -- self.teardown_datapath(self._get_datapath_name(ns)) -+ try: -+ self.teardown_datapath(self._get_datapath_name(ns)) -+ except Exception: -+ LOG.exception('Error unable to destroy namespace: %s', ns) - - # resync all network namespaces based on the associated datapaths, - # even those that are already running. This is to make sure -diff --git a/neutron/tests/unit/agent/linux/test_ip_lib.py b/neutron/tests/unit/agent/linux/test_ip_lib.py -index d1c74fb3f7..159cafdb8e 100644 ---- a/neutron/tests/unit/agent/linux/test_ip_lib.py -+++ b/neutron/tests/unit/agent/linux/test_ip_lib.py -@@ -357,6 +357,21 @@ class TestIpWrapper(base.BaseTestCase): - self.assertNotIn(mock.call().delete('ns'), - ip_ns_cmd_cls.mock_calls) - -+ def test_garbage_collect_namespace_existing_broken(self): -+ with mock.patch.object(ip_lib, 'IpNetnsCommand') as ip_ns_cmd_cls: -+ ip_ns_cmd_cls.return_value.exists.return_value = True -+ -+ ip = ip_lib.IPWrapper(namespace='ns') -+ -+ with mock.patch.object(ip, 'get_devices', -+ side_effect=OSError(errno.EINVAL, None) -+ ) as mock_get_devices: -+ self.assertTrue(ip.garbage_collect_namespace()) -+ -+ mock_get_devices.assert_called_once_with() -+ expected = [mock.call().delete('ns')] -+ ip_ns_cmd_cls.assert_has_calls(expected) -+ - @mock.patch.object(priv_lib, 'create_interface') - def test_add_vlan(self, create): - retval = ip_lib.IPWrapper().add_vlan('eth0.1', 'eth0', '1') -diff --git a/neutron/tests/unit/agent/ovn/metadata/test_agent.py b/neutron/tests/unit/agent/ovn/metadata/test_agent.py -index 6df7da702d..9bf9f0db52 100644 ---- a/neutron/tests/unit/agent/ovn/metadata/test_agent.py -+++ b/neutron/tests/unit/agent/ovn/metadata/test_agent.py -@@ -134,6 +134,31 @@ class TestMetadataAgent(base.BaseTestCase): - lnn.assert_called_once_with() - tdp.assert_called_once_with('3') - -+ def test_sync_teardown_namespace_does_not_crash_on_error(self): -+ """Test that sync tears down unneeded metadata namespaces. -+ Even if that fails it continues to provision other datapaths -+ """ -+ with mock.patch.object( -+ self.agent, 'provision_datapath') as pdp,\ -+ mock.patch.object( -+ ip_lib, 'list_network_namespaces', -+ return_value=['ovnmeta-1', 'ovnmeta-2', 'ovnmeta-3', -+ 'ns1', 'ns2']) as lnn,\ -+ mock.patch.object( -+ self.agent, 'teardown_datapath', -+ side_effect=Exception()) as tdp: -+ self.agent.sync() -+ -+ pdp.assert_has_calls( -+ [ -+ mock.call(p.datapath) -+ for p in self.ports -+ ], -+ any_order=True -+ ) -+ lnn.assert_called_once_with() -+ tdp.assert_called_once_with('3') -+ - def test_get_networks_datapaths(self): - """Test get_networks_datapaths returns only datapath objects for the - networks containing vif ports of type ''(blank) and 'external'. --- -2.34.1 diff --git a/images/neutron/patches/neutron/0001-fix-ovn-set-mtu-in-external_ids-correctly.patch b/images/neutron/patches/neutron/0001-fix-ovn-set-mtu-in-external_ids-correctly.patch new file mode 100644 index 0000000000..2605324990 --- /dev/null +++ b/images/neutron/patches/neutron/0001-fix-ovn-set-mtu-in-external_ids-correctly.patch @@ -0,0 +1,38 @@ +From f8ec437329510ef59c81084712dbfe49528ef56d Mon Sep 17 00:00:00 2001 +From: Mohammed Naser +Date: Thu, 28 Mar 2024 14:38:43 -0400 +Subject: [PATCH] fix(ovn): set mtu in external_ids correctly + +In the previous patch, we did account for the MTU showing up +in the external IDs however the code only sets it if it's using +a remote managed port binding. This code instead sets the binding +for all the inerface types instead. + +Related-Change-Id: I7ff300e9634e5e3fc68d70540392109fd8b9babc +Closes-Bug: 2053274 +Change-Id: I0653c83c5fb595847bb61182223db39b2f7e98c6 +--- + .../plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py b/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py +index 3e7bc5c01f..6f9e90afde 100644 +--- a/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py ++++ b/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py +@@ -480,11 +480,13 @@ class OVNClient(object): + # HA Chassis Group will bind the port to the highest + # priority Chassis + if port_type != ovn_const.LSP_TYPE_EXTERNAL: ++ port_net = self._plugin.get_network( ++ context, port['network_id']) ++ mtu = str(port_net['mtu']) + if (vnic_type == portbindings.VNIC_REMOTE_MANAGED and + ovn_const.VIF_DETAILS_PF_MAC_ADDRESS in binding_prof): + port_net = self._plugin.get_network( + context, port['network_id']) +- mtu = str(port_net['mtu']) + options.update({ + ovn_const.LSP_OPTIONS_VIF_PLUG_TYPE_KEY: 'representor', + ovn_const.LSP_OPTIONS_VIF_PLUG_MTU_REQUEST_KEY: mtu, +-- +2.34.1 diff --git a/images/nova-ssh/Dockerfile b/images/nova-ssh/Dockerfile new file mode 100644 index 0000000000..a513530185 --- /dev/null +++ b/images/nova-ssh/Dockerfile @@ -0,0 +1,26 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +FROM openstack-runtime +RUN < 23.0.1.dev6 therefore -# we ignore those old CVEs. -CVE-2012-3542 -CVE-2012-4413 -CVE-2013-2256 -CVE-2013-4179 -CVE-2014-3517 -CVE-2014-3608 -CVE-2014-3641 -CVE-2014-3708 -CVE-2015-0259 -CVE-2015-3221 -CVE-2015-3280 -CVE-2015-5251 -CVE-2015-5286 -CVE-2015-7713 diff --git a/images/trivy/Earthfile b/images/trivy/Earthfile deleted file mode 100644 index 8f68625464..0000000000 --- a/images/trivy/Earthfile +++ /dev/null @@ -1,8 +0,0 @@ -VERSION 0.7 - -image: - FROM aquasec/trivy:0.48.3 - COPY .trivyignore /.trivyignore - # TODO(mnaser): Add automatic updates - RUN trivy image --download-db-only - RUN trivy image --download-java-db-only diff --git a/images/ubuntu-cloud-archive/Dockerfile b/images/ubuntu-cloud-archive/Dockerfile new file mode 100644 index 0000000000..cffeaac6e2 --- /dev/null +++ b/images/ubuntu-cloud-archive/Dockerfile @@ -0,0 +1,20 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +FROM ubuntu +COPY trusted.gpg.d/ubuntu-cloud-keyring.gpg /etc/apt/trusted.gpg.d/ubuntu-cloud-keyring.gpg +ARG RELEASE +COPY < str: + response = requests.get( + f"https://opendev.org/api/v1/repos/openstack/{project}/commits", + params={"sha": branch, "limit": 1}, + ) + response.raise_for_status() + + return response.json()[0]["sha"] + + +def main(): + tmpl = jinja2.Template(TEMPLATE) + + for project in OPENSTACK_PROJECTS: + branch = BRANCH + if project == "tempest": + branch = "master" + + print( + tmpl.render( + { + "project": project, + "branch": branch, + "git_ref": get_latest_commit(project, branch), + } + ) + ) + + +if __name__ == "__main__": + main() diff --git a/zuul.d/docker-images/base.yaml b/zuul.d/docker-images/base.yaml new file mode 100644 index 0000000000..221b6746f2 --- /dev/null +++ b/zuul.d/docker-images/base.yaml @@ -0,0 +1,47 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- project: + check: + jobs: + - atmosphere-buildset-registry + # gate: + # jobs: + # - atmosphere-buildset-registry + # promote: + # jobs: + # - atmosphere-buildset-registry + +- job: + name: atmosphere-buildset-registry + parent: ci-buildset-registry + +- job: + name: atmosphere-build-container-image + parent: ci-build-container-image + abstract: true + dependencies: + - name: atmosphere-buildset-registry + soft: false + vars: &image_vars + promote_container_image_method: intermediate-registry + +# - job: +# name: atmosphere-upload-container-image +# parent: ci-upload-container-image +# abstract: true +# dependencies: +# - name: atmosphere-buildset-registry +# soft: false +# vars: *image_vars diff --git a/zuul.d/docker-images/ubuntu.yaml b/zuul.d/docker-images/ubuntu.yaml new file mode 100644 index 0000000000..fc321a9893 --- /dev/null +++ b/zuul.d/docker-images/ubuntu.yaml @@ -0,0 +1,50 @@ +# Copyright (c) 2024 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- project: + check: + jobs: + - atmosphere-build-container-image-ubuntu + # gate: + # jobs: + # - atmosphere-upload-container-image-ubuntu + # promote: + # jobs: + # - atmosphere-promote-container-image-ubuntu + +- job: + name: atmosphere-build-container-image-ubuntu + parent: atmosphere-build-container-image + vars: &container_image_vars + promote_container_image_job: atmosphere-upload-container-image-ubuntu + container_images: + - context: images/ubuntu + repository: registry.atmosphere.dev/library/ubuntu + tags: + - "zed" + - "zed-{{ ansible_date_time.epoch }}" + files: &container_image_files + - images/ubuntu/.* + +# - job: +# name: atmosphere-upload-container-image-ubuntu +# parent: atmosphere-upload-container-image +# vars: *container_image_vars +# files: *container_image_files + +# - job: +# name: atmosphere-promote-docker-image-ubuntu +# parent: atmosphere-promote-docker-image +# vars: *docker_image_vars +# files: *docker_image_files diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index 9a3382883e..ceee9b9387 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml @@ -12,20 +12,6 @@ # License for the specific language governing permissions and limitations # under the License. -- job: - name: atmosphere-buildset-registry - pre-run: zuul.d/playbooks/buildset-registry/pre.yml - run: zuul.d/playbooks/buildset-registry/run.yml - ansible-split-streams: true - -- job: - name: atmosphere-upload-images - parent: atmosphere-buildset-registry - run: zuul.d/playbooks/buildset-registry/run.yml - secrets: - - registry_credentials - - cosign_key - - job: name: atmosphere-molecule parent: tox @@ -34,7 +20,8 @@ run: zuul.d/playbooks/molecule/run.yml post-run: zuul.d/playbooks/molecule/post.yml dependencies: - - atmosphere-buildset-registry + - name: atmosphere-build-container-image-ubuntu + soft: true - job: name: atmosphere-molecule-keycloak diff --git a/zuul.d/playbooks/buildset-registry/run.yml b/zuul.d/playbooks/buildset-registry/run.yml index 7f8118c21a..98d50e157d 100644 --- a/zuul.d/playbooks/buildset-registry/run.yml +++ b/zuul.d/playbooks/buildset-registry/run.yml @@ -53,8 +53,27 @@ [registry."{{ buildset_registry.host }}:{{ buildset_registry.port }}"] ca=["/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt"] + # NOTE(mnaser): https://www.augmentedmind.de/2023/11/19/advanced-buildkit-caching/ + - name: Tune Buildkit for more aggressive caching + become: true + ansible.builtin.blockinfile: + create: yes + path: /etc/buildkitd.toml + block: | + [worker.oci] + enabled = true + gc = true + + [[worker.oci.gcpolicy]] + filters = ["type==source.local", "type==exec.cachemount", "type==source.git.checkout"] + keepBytes = 37580963840 # 35 GB, expressed in bytes + + [[worker.oci.gcpolicy]] + all = true + keepBytes = 64424509440 # 60 GB, expressed in bytes + - name: Create builder - ansible.builtin.shell: docker buildx create --name=atmosphere --driver=docker-container {% if buildset_registry.cert %}--config /etc/buildkitd.toml{% endif %} + ansible.builtin.shell: docker buildx create --name=atmosphere --driver=docker-container --config /etc/buildkitd.toml - name: Point registry to Atmosphere if in post pipeline when: zuul.pipeline == 'post' diff --git a/zuul.d/playbooks/molecule/pre.yml b/zuul.d/playbooks/molecule/pre.yml index f9f2213366..56429e7161 100644 --- a/zuul.d/playbooks/molecule/pre.yml +++ b/zuul.d/playbooks/molecule/pre.yml @@ -59,8 +59,8 @@ - name: Replace the registry in image manifest ansible.builtin.replace: path: "{{ zuul.project.src_dir }}/roles/defaults/vars/main.yml" - regexp: "registry.atmosphere.dev/library/([^@]*)@sha256:[a-fA-F0-9]{64}" - replace: '{{ buildset_registry.host }}:{{ buildset_registry.port }}/library/\1' + regexp: "registry.atmosphere.dev/library/" + replace: '{{ buildset_registry.host }}:{{ buildset_registry.port }}/library/' # TODO(mnaser): Drop this when we move to PBR - name: Add current folder to Git's safe directories diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 55e21fa8db..a94f6dcdaa 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -15,12 +15,8 @@ - project: check: jobs: - - atmosphere-buildset-registry - atmosphere-molecule-aio-openvswitch - atmosphere-molecule-aio-ovn - atmosphere-molecule-csi-local-path-provisioner - atmosphere-molecule-csi-rbd - atmosphere-molecule-keycloak - post: - jobs: - - atmosphere-upload-images